Splunk Search

Finding uncompleted transactions

GratefulDude
Explorer

I have application logs that will create a log when a user makes a request like:

2010-02-17 16:13:28.515 host1:1111:application DBG User made a requst[99999-1]: FOO (12345)

It then creates another log when the request is acknowledged like:

2010-02-17 16:13:29.118 host1:1111:application DBG reply for user 12345: request acknowledged

I am able to do a search and group both logs into pairs with transaction:

host="host1" source="C:\\logs\app*" ("DBG User made a request" OR "request acknowledged") | rex "DBG User made a requst: Foo \((?<ID>\d+)\) \[" | rex "DBG reply for user (?<ID>\d+): " | transaction ID maxspan=60s startswith="DBG User made a request" endswith="request acknowledged"

and I get a nice list of all the request/acknowledge pairs grouped together. What I need is to find (and alert) when I get a request, but not a matching acknowledge.

Any ideas?


Ledion_Bitincka
Splunk Employee

This is an outstanding issue (SPL-31786) scheduled to be fixed in our next maintenance release (4.1.4).

The following search might do what you want (if ID is a unique id at least within the 60 seconds that the transactions are supposed to last):

host="host1" source="C:\\logs\app*" ("DBG User made a request" OR "request acknowledged") | rex "DBG User made a requst: Foo \((?<ID>\d+)\) \[" | rex "DBG reply for user (?<ID>\d+): " | transaction ID maxspan=60s startswith="DBG User made a request" | search NOT "request acknowledged"

GratefulDude
Explorer

Thanks. What worked for me was doing a |search linecount<2 from my results. That matches all of my "requests" and "answers" up into transactions that should always be 2 lines.


dianbo_1
Path Finder

The startswith and endswith are "eventtype=A" and "eventtype=B" in my definition. But I only get those transactions that just have an end event (eventtype=B), and it cannot display those that just have a start event (eventtype=A).

For example, if I do the search "eventtype=A | transaction router ip startswith="eventtype=A" endswith="eventtype=B" keepevicted=true", I should get many uncompleted transactions, but I get none.

Any ideas?

Thanks, Dianbo.


gkanapathy
Splunk Employee

You should just be able to add keepevicted=true to the transaction command options, then search on evicted=1:

... | transaction keepevicted=true ... | where evicted=1

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Transaction

gkanapathy
Splunk Employee

Hmm, looks like it changed at some point, you're right that in 4.0.9 the field is "closed_txn" and is the inverse of evicted, i.e., it's 1 for completed transactions.

ziegfried
Influencer

Did this change for Splunk 4.1? The evicted field doesn't seem to be part of the result. I had success with "… | transaction … | where closed_txn=0" though.
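The pairing logic the thread relies on (transaction ID maxspan=60s, then keeping only transactions that never closed, i.e. closed_txn=0 / evicted=1), written out as a stand-alone Python correlator so it can be checked outside Splunk. This is an added example, not code from the thread or from Splunk; the log lines are constructed in the question's format, and the regexes, the function name find_open_transactions and the assumption that an ID is unique within the 60 s window are mine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in the format shown in the question (not real data).
SAMPLE_LOG = """\
2010-02-17 16:13:28.515 host1:1111:application DBG User made a requst[99999-1]: FOO (12345)
2010-02-17 16:13:29.118 host1:1111:application DBG reply for user 12345: request acknowledged
2010-02-17 16:13:30.000 host1:1111:application DBG User made a requst[99999-2]: FOO (22222)
2010-02-17 16:13:31.000 host1:1111:application DBG User made a requst[99999-3]: FOO (33333)
2010-02-17 16:15:00.000 host1:1111:application DBG reply for user 33333: request acknowledged
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
# Assumed patterns: the request line carries the ID in parentheses, the ack line after "user".
REQUEST_RE = re.compile(r"^(?P<ts>\S+ \S+) .*DBG User made a requst\[[^\]]*\]: \w+ \((?P<id>\d+)\)$")
ACK_RE = re.compile(r"^(?P<ts>\S+ \S+) .*DBG reply for user (?P<id>\d+): request acknowledged$")


def find_open_transactions(log_text, maxspan_seconds=60):
    """Return (id, request_time, reason) for every request with no ack inside maxspan.

    Mirrors `transaction ID maxspan=60s startswith=... endswith=...`: a request opens a
    transaction, an ack for the same ID within maxspan closes it (closed_txn=1); anything
    else stays open or is evicted (closed_txn=0). Assumes IDs are unique within maxspan,
    the same caveat raised in the accepted answer; a repeated ID simply restarts the clock.
    """
    maxspan = timedelta(seconds=maxspan_seconds)
    open_txn = {}  # id -> timestamp of the request that opened it
    unclosed = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            open_txn[m["id"]] = datetime.strptime(m["ts"], TS_FMT)
            continue
        m = ACK_RE.match(line)
        if m and m["id"] in open_txn:  # an ack with no open request is ignored here
            started = open_txn.pop(m["id"])
            if datetime.strptime(m["ts"], TS_FMT) - started > maxspan:
                # Ack arrived after maxspan: Splunk would already have evicted the transaction.
                unclosed.append((m["id"], started, "ack after maxspan"))
    for rid, started in open_txn.items():  # requests that never saw an ack at all
        unclosed.append((rid, started, "no ack"))
    return sorted(unclosed, key=lambda t: t[1])


if __name__ == "__main__":
    for rid, started, reason in find_open_transactions(SAMPLE_LOG):
        print(f"{started} request {rid}: {reason}")
```

Against the sample, request 12345 closes, 22222 never gets an ack, and 33333 is acknowledged 89 seconds later, which is outside the 60 s maxspan and so still counts as uncompleted.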
